
Certainly! Here's a comprehensive list of commands commonly used for data transfer over the internet:

FTP (File Transfer Protocol):

ftp: Connects to an FTP server for transferring files.
get: Downloads a file from the FTP server to your local machine.
put: Uploads a file from your local machine to the FTP server.
SCP (Secure Copy):

scp: Securely copies files between hosts on a network using SSH encryption.
scp <source> <destination>: Copies a file from the source location to the destination location.
SFTP (SSH File Transfer Protocol):

sftp: Opens an interactive session for secure file transfers.
get: Downloads a file from the remote server to your local machine.
put: Uploads a file from your local machine to the remote server.
rsync:

rsync: Synchronizes files and directories between different locations, either locally or remotely.
rsync <source> <destination>: Copies files from the source location to the destination, minimizing data transfer by transferring only the differences between the source and destination.
cURL (Client URL):

curl: Transfers data to or from a server using various protocols (HTTP, FTP, SCP, etc.).
curl -O <URL>: Downloads a file from a specified URL to the current directory.
curl -T <file> <URL>: Uploads a file to a specified URL.
Wget:

wget: Downloads files from the internet using HTTP, HTTPS, or FTP protocols.
wget <URL>: Downloads a file from a specified URL to the current directory.
Git:

git clone <repository URL>: Clones a Git repository from a remote server to your local machine.
git push: Uploads local changes to a remote Git repository.
git pull: Downloads and incorporates remote changes into your local Git repository.
Rclone:

rclone copy <source> <destination>: Copies files between local and remote locations using various cloud storage providers (e.g., Google Drive, Amazon S3, Dropbox, etc.).
rclone sync <source> <destination>: Synchronizes files between the source and destination, ensuring that both locations have an identical copy.
FTPS (FTP over SSL/TLS):

lftp: A powerful command-line FTP client that supports FTPS.
lftp -u <username>,<password> <host>: Connects to an FTPS server with the specified username, password, and hostname.
SSH (Secure Shell):

ssh: Establishes a secure shell connection to a remote server.
scp: Copies files between hosts using SSH encryption.
sftp: Opens an interactive session for secure file transfers.
Remember to refer to the specific command's documentation and usage guidelines for a detailed understanding of their options and parameters.


#Here's an example query you can use to identify potential data exfiltration events:

process_events
| where process_file_name in~ ("*.docx", "*.xlsx", "*.pdf") and (process_port_name == "https" or process_port_name == "ftp")
| where process_terminated = true and process_exit_code != 0
| extend process_path = extract(@"[a-zA-Z0-9\s-\\_\.]*$", 0, process_full_path)
| project event_id, device_id, process_path, process_file_name, process_command_line, process_username, process_parent_path, process_terminated_time, process_exit_code



#example of a more comprehensive query in CrowdStrike Falcon Query Language (FQL) that can be used to identify potential data exfiltration events:

process_events
| where process_terminated = true
| where process_exit_code != 0
| where (
    (process_port_name == "https" or process_port_name == "ftp") and
    (
        process_file_name contains ".docx" or
        process_file_name contains ".xlsx" or
        process_file_name contains ".pdf" or
        process_file_name contains ".zip"
    )
  )
| extend process_path = extract(@"[a-zA-Z0-9\s-\\_\.]*$", 0, process_full_path)
| extend process_parent_path = extract(@"[a-zA-Z0-9\s-\\_\.]*$", 0, process_parent_path)
| project event_id, device_id, process_path, process_file_name, process_command_line, process_username, process_parent_path, process_terminated_time, process_exit_code



#Here's an example of a more effective and comprehensive query in CrowdStrike Falcon Query Language (FQL) to identify potential data exfiltration events:


process_events
| where process_terminated = true
| where process_exit_code != 0
| where process_file_name in~ (".docx", ".xlsx", ".pdf", ".zip")
| where process_port_name in~ ("https", "ftp", "sftp", "rsync", "scp")
| extend process_path = extract(@"[a-zA-Z0-9\s-\\_\.]*$", 0, process_full_path)
| extend process_parent_path = extract(@"[a-zA-Z0-9\s-\\_\.]*$", 0, process_parent_path)
| project event_id, device_id, process_path, process_file_name, process_command_line, process_username, process_parent_path, process_terminated_time, process_exit_code


# Here's an example of a more effective and reliable query in CrowdStrike Falcon Query Language (FQL) to identify potential data exfiltration events:


process_events
| where process_terminated = true
| where process_exit_code != 0
| where (
    process_file_name in~ (".docx", ".xlsx", ".pdf", ".zip") or
    process_command_line contains "curl" or
    process_command_line contains "wget" or
    process_command_line contains "scp" or
    process_command_line contains "sftp" or
    process_command_line contains "rsync" or
    process_command_line contains "git push" or
    process_command_line contains "git pull"
  )
| where process_port_name in~ ("https", "ftp", "sftp", "rsync", "git")
| extend process_path = extract(@"[a-zA-Z0-9\s-\\_\.]*$", 0, process_full_path)
| extend process_parent_path = extract(@"[a-zA-Z0-9\s-\\_\.]*$", 0, process_parent_path)
| project event_id, device_id, process_path, process_file_name, process_command_line, process_username, process_parent_path, process_terminated_time, process_exit_code


#CrowdStrike query that can help detect data exfiltration:

event_simpleName = "NetworkSession"
AND event_type = "network"
AND (event_description CONTAINS "outbound connection"
OR event_description CONTAINS "file upload"
OR event_description CONTAINS "data exfiltration")


#Here's an example of an FQL query that can help you detect potential data exfiltration:

SELECT
  timestamp,
  UserName,
  LocalIP,
  RemoteIP,
  RemotePort,
  Protocol,
  Domain,
  Url,
  UserAgent,
  Filepath,
  FileSize
FROM
  network
WHERE
  (RemotePort = 80 OR RemotePort = 443)
  AND (Protocol = 'tcp' OR Protocol = 'udp')
  AND (FileSize > 1048576)
  AND (Url LIKE '%.zip' OR Url LIKE '%.rar' OR Url LIKE '%.tar' OR Url LIKE '%.gz' OR Url LIKE '%.7z')
ORDER BY
  timestamp DESC

#Here's an example query you can use in CrowdStrike to detect data exfiltration:

event_simpleName:"NetworkConnectionEvent"
AND event_type:"network"
AND event_direction:"outbound"
AND (event_data_srcPort:80 OR event_data_srcPort:443)
AND (event_data_dstPort:80 OR event_data_dstPort:443)
AND (event_data_dstFileName:"*.zip" OR event_data_dstFileName:"*.rar" OR event_data_dstFileName:"*.7z" OR event_data_dstFileName:"*.tar" OR event_data_dstFileName:"*.tgz" OR event_data_dstFileName:"*.gz" OR event_data_dstFileName:"*.bz2" OR event_data_dstFileName:"*.xz" OR event_data_dstFileName:"*.zst" OR event_data_dstFileName:"*.csv" OR event_data_dstFileName:"*.txt" OR event_data_dstFileName:"*.doc" OR event_data_dstFileName:"*.docx" OR event_data_dstFileName:"*.xls" OR event_data_dstFileName:"*.xlsx" OR event_data_dstFileName:"*.ppt" OR event_data_dstFileName:"*.pptx")


#As a software engineer, I can suggest the following CrowdStrike query to detect data exfiltration:

event_simpleName = "NetworkFlow"
AND direction = "outbound"
AND (app = "http OR app = "https")
AND (dest_port = 80 OR dest_port = 443)
AND (dest_ip != 192.168.0.0/16 AND dest_ip != 172.16.0.0/12 AND dest_ip != 10.0.0.0/8)

#Sure, here's another CrowdStrike query to detect data exfiltration:

event_simpleName = "FileEvent"
AND action = "write"
AND file_path != "C:\Windows\*AND file_path != "C:\Program Files\*"
AND file_path != "C:\Program Files (x86)\*"
AND file_path != "C:\ProgramData\*"


#Sure, here's an updated CrowdStrike query to detect data exfiltration that is more effective:

event_simpleName = "NetworkFlow"
AND direction = "outbound"
AND (app =http" OR app = "https")
AND (dest_port = 80 OR dest_port = 443)
AND (dest_ip != 192.168.0.0/16 AND dest_ip != 172.16.0.0/ AND dest_ip != 10.0.0.0/8)
AND (bytes_out > 1000000)

Sure, here's an updated CrowdStrike query to detect data exfiltration that is more effective and reliable:

event_simpleName = "NetworkFlow"
AND direction = "outbound"
AND (app = "http" OR app = "https")
AND (dest_port = 80 OR dest_port = 443)
AND (dest_ip != 192.168.0.0/16 AND dest_ip != 172.16.0.0/12 AND dest_ip != 10.0.0.0/8)
AND (bytes_out > 1000000)
AND (user_name != "SYSTEM" AND user_name != "LOCAL SERVICE" AND user_name != "NETWORK SERVICE")



#Sure, here's an example of a SIEM condition to detect data exfiltration:

Event Type: Network Traffic
Source IP: Any
Destination IP: External IP Address
Destination Port: Any
Protocol: TCP
Event Count: > 100

#Sure, here's an updated SIEM condition to detect data exfiltration that is more effective and reliable:

Event Type: Network Traffic
Source IP: Internal IP Address
Destination IP: External IP Address
Destination Port: 80 or 443
Protocol: TCP
Event Count: > 100
Data Volume: > 1 MB


Sure, here's an example of an ArcSight SIEM condition to detect data exfiltration:

Event Type: Network Traffic
Source IP: Internal IP Address
Destination IP: External IP AddressDestination Port: 80 or 443
Protocol: TCP
Event Count: > 100
Data Volume: > 1 MB

